"A SQL query is a trusted command!" This is the biggest lie web developers believe when they are unaware of the ways queries can be tampered with. Basically, SQL queries can get around access controls, bypass standard authentication checks, and offer access to operating-system-level commands on the host.
Direct SQL command injection is a technique that lets an attacker create or alter existing SQL commands in order to access hidden data or to cause some other kind of disturbance on the database host. It is possible in any application that takes user input and combines it with static parameters in order to build an SQL query.
The attacker may create a super user in your database due to the lack of input validation.
WHAT is SQL Injection Attack?
A SQL injection attack is a common intrusion strategy for attempting to access sensitive information in a database. Even a small vulnerability in the database system can let the query sent to the database be affected. When such a query is generated, it causes the database parser to malfunction, which makes dealing with SQL injection more important than ever. Recently, the adoption of the internet has driven rapid advancement in the information technology field.
The general population uses the internet to obtain information, so systems must allow quick access to the owner's information while blocking break-in attempts. It has been found that almost 50% of databases are used for one important purpose or another, such as financial transactions or educational endeavours.
HOW is SQL Injection Attack launched?
SQL injection can be carried out through various methods. Here you will get the basic concepts of SQL injection. Let us begin with an example: suppose you are on an eCommerce website and have already set some filters to shop for a product. Its URL might look like
To test this website for SQL injection, you can try appending an injection such as OR 1=1 to the parameter:
http://www.completeecommerce.com/categories.php?params=100' OR '1'='1
If the above injection works and shows you the products, the website is vulnerable to SQL injection. This means that at the backend the script executed the following query:
SELECT * FROM Categories WHERE OR '1'='1' ORDER BY Category Description
Because the condition '1'='1' is always true, this gives you the list of all the products.
Suppose a website uses the following URL for logging into the admin panel:
http://www.completeecommerce.com/admin/securelogin.php?username=Devit&password=dev
Now, if this website is vulnerable to injection as in the example above, then entering any username and password, with the injection appended, can let you log in to the admin panel:
http://www.completeecommerce.com/admin/securelogin.php?username=dnt&password=dnt' OR '1'='1
Now you can log in to the admin panel of the website without a valid username and password.
WHY?? (SQL Injection Attack Intent)
An attacker may undertake a SQL injection attack for various reasons.
- Identifying Injectable Parameters
The attacker may need to probe the web application in order to discover the parameters and user input fields that are vulnerable to the attacks.
- Performing Database Fingerprinting
The attacker may want to discover the type and version of the database used by the web application. Different databases respond differently to different queries and attacks, and this can be used to "fingerprint" the database. Once an attacker knows the type and version of the database, he/she can craft attacks specific to it.
- Determining database schema
In order to extract data correctly from the database, the attacker needs to know database schema information such as table names, column names, and column data types.
Types of SQL Injection Attack
1. Tautology
This attack injects code into one or more conditional statements so that they always evaluate to true. The technique is mostly used to bypass authentication pages and extract data. When the attack is successful, the code either displays all the returned records or performs some action when at least one record is returned.
For example, in this attack the attacker submits "' or 1=1 --". The query for login mode is
SELECT * FROM user_details WHERE loginID='' or 1=1 -- AND flag1=''
The code injected in the conditional (OR 1=1) transforms the WHERE clause into a tautology. The query evaluates to true for every row in the table and returns all of them.
In our example, the returned set evaluates to a non-null value, which causes the application to conclude that the user authentication was successful. Therefore, the application would invoke user_main.aspx and grant access to the application.
2. Union Query
In union-query attacks, the attacker injects a statement of the form UNION SELECT. Because the attacker completely controls the second, injected query, they can use that query to retrieve information from a specific table. The result of this attack is that the database returns a dataset that is the union of the results of the original first query and the results of the injected second query.
Example: An attacker could inject the text "' UNION SELECT flag1 from user_details where secureloginID='secretkey' --" into the login field, which produces the following query:
SELECT pass1 FROM user_details WHERE loginID='' UNION SELECT flag1 from user_details where secureloginID='secretkey' -- AND flag1=''
Assuming that there is no login equal to "", the original first query returns the null set, whereas the second query returns data from the "user_details" table. In this case, the database would return column "flag1" for account "secretkey". The database takes the results of these two queries, unions them, and returns them to the application. In many applications, the effect of this operation is that the value for "flag1" is displayed along with the account information.
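The tautology and union inputs above, run against a query built by string concatenation and against the same query with bound parameters. This is an added example, not code from the original article: the Python/SQLite setting, the function names and the sample rows are assumptions, and the login query uses the SELECT pass1 form for both cases.

```python
import sqlite3

def make_db():
    # Constructed sample rows; table and column names follow the article's queries.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_details "
               "(loginID TEXT, pass1 TEXT, flag1 TEXT, secureloginID TEXT)")
    db.executemany("INSERT INTO user_details VALUES (?, ?, ?, ?)", [
        ("alice", "pw-alice", "flag-alice", "id-alice"),
        ("bob", "pw-bob", "flag-bob", "secretkey"),
    ])
    return db

def login_concat(db, login, flag):
    # Vulnerable: user input becomes part of the SQL text, so a quote in
    # `login` ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT pass1 FROM user_details WHERE loginID='" + login +
           "' AND flag1='" + flag + "'")
    return [row[0] for row in db.execute(sql)]

def login_bound(db, login, flag):
    # Hardened: the statement text is fixed; input is passed as bound
    # parameters and is only ever compared as data.
    sql = "SELECT pass1 FROM user_details WHERE loginID=? AND flag1=?"
    return [row[0] for row in db.execute(sql, (login, flag))]

# The two inputs quoted in the article.
TAUTOLOGY = "' or 1=1 --"
UNION = ("' UNION SELECT flag1 from user_details "
         "where secureloginID='secretkey' --")

def demo():
    db = make_db()
    return {
        "tautology_concat": login_concat(db, TAUTOLOGY, ""),
        "union_concat": login_concat(db, UNION, ""),
        "tautology_bound": login_bound(db, TAUTOLOGY, ""),
        "union_bound": login_bound(db, UNION, ""),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With concatenation the tautology returns every row and the union returns the flag1 value of the "secretkey" account; with bound parameters both inputs match no loginID and return nothing.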
3. Blind Injection
Web applications commonly use SQL queries with client-supplied input in the WHERE clause to retrieve data from a database. By adding additional conditions to the SQL statement and evaluating the web application's output, you can determine whether or not the application is vulnerable to SQL injection.
For instance, many institutions allow Internet access to the details of their alumni. A URL for accessing the fifth alumni record might look like this:
http://www.abccollege.com/alumni.jsp?paramsID=5
The SQL statement the web application would use to retrieve the alumni information might look like this (the client-supplied input is the value 5):
SELECT academics, course, leavingyear, information FROM alumni WHERE paramsID = 5
The database server responds by returning the data of the alumni. The web application will then format the alumni data into an HTML page and send the response to the client.
To determine if the application is vulnerable to SQL injection, try injecting an extra true condition into the WHERE clause. For example, if you request this URL
http://www.abccollege.com/alumni.jsp?paramsID=5 AND 1=1
and the database server executes the following query
SELECT academics, course, leavingyear, information FROM alumni WHERE paramsID = 5 AND 1=1
and this query returns the same alumni record, then the application is susceptible to SQL injection.
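The AND 1=1 check above, written as a regression test that a developer can run against their own lookup code, next to a handler that passes it. This is an added example, not code from the original article: the Python/SQLite setting, the handler names and the sample rows are assumptions.

```python
import re
import sqlite3

SELECT = ("SELECT academics, course, leavingyear, information "
          "FROM alumni WHERE paramsID = ")

def make_db():
    # Constructed sample rows; the schema follows the article's query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE alumni (paramsID INTEGER, academics TEXT, "
               "course TEXT, leavingyear INTEGER, information TEXT)")
    db.executemany("INSERT INTO alumni VALUES (?, ?, ?, ?, ?)", [
        (4, "BSc", "Physics", 2011, "constructed row"),
        (5, "MSc", "Computing", 2012, "constructed row"),
    ])
    return db

def alumni_concat(db, params_id):
    # Vulnerable: the raw query-string value is appended to the statement.
    return db.execute(SELECT + params_id).fetchall()

def alumni_bound(db, params_id):
    # Hardened: accept only a short decimal integer, then bind it.
    if not re.fullmatch(r"[0-9]{1,9}", params_id):
        raise ValueError("paramsID must be a decimal integer")
    return db.execute(SELECT + "?", (int(params_id),)).fetchall()

def accepts_extra_condition(handler, db):
    # The article's test: does "5 AND 1=1" return the same record as "5"?
    # True means the extra condition reached the SQL parser.
    baseline = handler(db, "5")
    try:
        return handler(db, "5 AND 1=1") == baseline
    except ValueError:
        return False  # the input was rejected before any SQL ran

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", accepts_extra_condition(alumni_concat, db))
    print("bound:", accepts_extra_condition(alumni_bound, db))
```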
Suppose you have a Web-based application which stores usernames alongside other session information. Given a session identifier such as a cookie, you want to retrieve the current username and then use it in turn to retrieve some user information. You might, therefore, have code for an "Update User Profile" screen somewhat similar to the following:
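-- Step 1: look up the stored name for the current identifier.
execute immediate 'SELECT studentname FROM datatable WHERE student='''||studentid||'''' into username;
-- Step 2 (vulnerable): the stored name is concatenated into the next statement.
execute immediate 'SELECT ssn FROM students WHERE studentname='''||username||'''' into ssn;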
This will be injectable if the attacker had earlier, on the "Create Account" screen, created a username such as
YYY' OR username='HARRY
which creates the query:
SELECT ssn FROM students WHERE studentname='YYY' OR username='HARRY'
If the user YYY does not exist, the attacker has successfully retrieved HARRY's social security number. The attacker can also create malicious database objects, such as a function called as part of an API, or a maliciously named table that uses double quotation marks to introduce dangerous constructs.
For example, an attacker can create a table using a table name such as "tab') or 1=1--", which can be exploited later in a second-order SQL injection attack.
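The stored-username flow above, showing that a parameterized "Create Account" insert does not protect a later statement that concatenates the stored value. This is an added example, not code from the original article: the Python/SQLite setting, the function names, the identifier "s-42" and the SSN value are constructed, and the stored name uses the studentname column so that it matches the students table.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names follow the article's PL/SQL.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE datatable (student TEXT, studentname TEXT)")
    db.execute("CREATE TABLE students (studentname TEXT, ssn TEXT)")
    db.execute("INSERT INTO students VALUES ('HARRY', '000-00-0001')")
    return db

def create_account(db, studentid, name):
    # "Create Account": the INSERT is parameterized, so the name is stored
    # verbatim, quote included. Nothing is injected at this point.
    db.execute("INSERT INTO datatable VALUES (?, ?)", (studentid, name))

def stored_name(db, studentid):
    row = db.execute("SELECT studentname FROM datatable WHERE student=?",
                     (studentid,)).fetchone()
    return row[0]

def ssn_concat(db, studentid):
    # Vulnerable "Update User Profile": the value read back from the
    # database is trusted and concatenated into the second statement.
    name = stored_name(db, studentid)
    sql = "SELECT ssn FROM students WHERE studentname='" + name + "'"
    return [row[0] for row in db.execute(sql)]

def ssn_bound(db, studentid):
    # Hardened: stored data is still untrusted input, so it is bound too.
    name = stored_name(db, studentid)
    return [row[0] for row in db.execute(
        "SELECT ssn FROM students WHERE studentname=?", (name,))]

def demo():
    db = make_db()
    create_account(db, "s-42", "YYY' OR studentname='HARRY")
    return ssn_concat(db, "s-42"), ssn_bound(db, "s-42")

if __name__ == "__main__":
    leaked, safe = demo()
    print("concatenated:", leaked)
    print("bound:", safe)
```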
HOW to Prevent SQL Injection Attack?
Stay tuned! 8 ways to prevent SQL injection attack are explained in my next article.